Cheval de troie

Question

Bonjour,
    
Ce poste est un appel a l'aide,je suis infecté de virus. Quelqu'un pourrait t'il m'indiqué ce que je dois fixer dans ce rapport de hijackthis,merci d'avance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:59:25, on 12/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32undll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32	askmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.neuf.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\WIRELE~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - C:\Microgaming\Poker\UnibetpokerMPP\MPPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dll
O15 - Trusted Zone: http://www.secuser.com
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} (ULiveCtrl Control) - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://www.trendmicro.com/en_us/forHome/products/housecall.html
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f002.mail.caramail.lycos.fr/app/uploader/FileUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BD126C7-CBBF-4E86-9A99-2B7F79B8C7A5}: NameServer = 212.27.54.252,212.27.53.252
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BD126C7-CBBF-4E86-9A99-2B7F79B8C7A5}: NameServer = 212.27.54.252,212.27.53.252
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Office Source Engine (ose) - Funk Software, Inc. - (no file)

Vyger · Answer

O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} (ULiveCtrl Control) - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe
O23 - Service: Office Source Engine (ose) - Funk Software, Inc. - (no file)

023 est suspect, porte ouverte au trojans et virus...

fixe 'fixe checked", reboot en mode sans echec et scan antispyware (spybotSD) et ton antivirus
redemarre et repost un log

a+

papyber · Answer

tu es infecté
Télécharge SDFix  d’ Andy Manchesta sur ton bureau
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
 
clic double sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau.
Redémarre ton ordinateur en mode sans échec
Comment aller en Mode sans échec lettre C 
https://forum.pcastuces.com/sujet.asp?f=25&s=3902 
1) Redémarre ton ordi 
2) Tapote la touche F8 immédiatement, (F5 sur certains PC) juste après le "Bip" 
3) Tu verras un écran avec options de démarrage apparaître 
4) Choisi la première option : Sans Échec, et valide avec "Entrée" 
5) Choisi ton compte régulier, et non Administrateur 

Ouvre le dossier SDFix qui vient d'être créé sur le Bureau et clic double sur RunThis.bat
 Appuie sur Y pour commencer le nettoyage.
Il va supprimer les services et les entrées du Registre infectés puis  te demandera d'appuyer sur une touche pour redémarrer.
Appuie sur une touche pour redémarrer le PC.
Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter  et supprimer des fichiers.
Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
Enfin, poste le contenu du fichier Report.txt dans ta prochaine réponse sur le forum,

maracana · Answer

Bonjour,

J'ai fait ce que tu m'as dit viger. Et apres tout ça mon antivirus détecte deux virus au redémraaage:
C:\DOCUME~1\Amaury\LOCALS~1\Temp\gjeeyvun.dll
C:\DOCUME~1\Amaury\LOCALS~1\Temp
cdtfwis.dll
qui correspondent à Win32:TratBHO [Trj].

voici le nouveau log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13:08, on 13/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.neuf.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\WIRELE~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - C:\Microgaming\Poker\UnibetpokerMPP\MPPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dll
O15 - Trusted Zone: http://www.secuser.com
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://www.trendmicro.com/en_us/forHome/products/housecall.html
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f002.mail.caramail.lycos.fr/app/uploader/FileUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BD126C7-CBBF-4E86-9A99-2B7F79B8C7A5}: NameServer = 212.27.54.252,212.27.53.252
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BD126C7-CBBF-4E86-9A99-2B7F79B8C7A5}: NameServer = 212.27.54.252,212.27.53.252
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Office Source Engine (ose) - Funk Software, Inc. - (no file)

maracana · Answer

Pour papyber

voici le rapport:


SDFix: Version 1.142

Run by Amaury on 13/02/2008 at 18:27

Microsoft Windows XP [version 5.1.2600]

Running From: C:\DOCUME~1\Amaury\Bureau\f-vmonde\SDFix

Safe Mode:
Checking Services: 


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files: 

No Trojan Files Found




Folder C:\Program Files\Insider - Removed


Removing Temp Files...

ADS Check:
 


                                 Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 18:42:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,4a,1e,32,1e,dd,ec,57,8d,2e,72,7e,3e,8c,7b,6b,8a,42,..
"hj34z0"=hex:30,1e,ba,03,91,2e,68,4a,81,27,7c,fe,d6,84,fc,0b,06,0f,a8,2b,50,..

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 391


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Amaury\Application Data\SopCast\adv\SopAdver.exe"="C:\Documents and Settings\Amaury\Application Data\SopCast\adv\SopAdver.exe:*:Enabled:SopAdver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast"
"C:\Program Files\HomePlayer1.5.0.2\HomePlayer.exe"="C:\Program Files\HomePlayer1.5.0.2\HomePlayer.exe:*:Enabled:HomePlayer"
"C:\Program Files\PpStream Fr\PPStream.exe"="C:\Program Files\PpStream Fr\PPStream.exe:*:Enabled:PPStream.exe"
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"="C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Assistance … distance - Windows Messenger et voix"
"C:\WINDOWS\system32\java.exe"="C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\TFPTools3_0\VLC\vlc.exe"="C:\TFPTools3_0\VLC\vlc.exe:*:Enabled:VLC media player"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Disabled:SopCast Adver"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\TFPTools3_0\TFPTools.exe"="C:\TFPTools3_0\TFPTools.exe:*:Enabled:TFPTools"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\TVAnts\Tvants.exe"="C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts"
"C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe"="C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:*:Disabled:Football Manager 2008"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files:
---------------


Files with Hidden Attributes:

Wed 13 Oct 2004     1,694,208 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Thu  5 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008     1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008     5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008     2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed  2 Mar 2005         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 16 Nov 2006             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu  7 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a2180e39176e52eb6ee31f3dab112b6e\BIT1.tmp"
Tue  6 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ad213d081e2675ef87a62c73b8abf209\BIT1.tmp"
Tue  6 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cfbcb3a3d65e5711f4e0a6b970ad92ef\BIT2.tmp"

Finished!

papyber · Answer

où en es tu?
poste un rapport hijack this

maracana · Answer

Bonsoir Papyber,

Comme je te disais précedemment,

J'ai fait ce que tu m'as dit viger. Et apres tout ça mon antivirus détecte deux virus au redémraaage: 
C:\DOCUME~1\Amaury\LOCALS~1\Temp\gjeeyvun.dll 
C:\DOCUME~1\Amaury\LOCALS~1\Temp
cdtfwis.dll 
qui correspondent à Win32:TratBHO [Trj]. 

Ensuite je suis alle sur le post http://www.commentcamarche.net/forum/affich 4549845 comment supprimer le virus win32 tratbho
en faisant plus ou moins les démarches décristes dans le post. Ca va nettement mieux mais il me semble que je peux encore faire du vide sur la base de registre. Voici le rapport :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:58:48, on 14/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {3E148F86-07D9-479B-9C66-F58C5B770522} - C:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: (no name) - {43408E72-84F2-4489-9717-1F40287F66AA} - C:\WINDOWS\system32\ljhhe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AB76A837-492E-4792-8ABD-0EBBEE3775F0} - C:\WINDOWS\system32\urspn.dll (file missing)
O2 - BHO: (no name) - {DA00CDCA-56BB-4171-8101-B4230DCB73A8} - C:\WINDOWS\system32\xxwvu.dll (file missing)
O2 - BHO: (no name) - {E60729E8-D1B8-4F6D-AF3A-BFEDFA60D5C5} - C:\WINDOWS\system32\hgday.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\WIRELE~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - C:\Microgaming\Poker\UnibetpokerMPP\MPPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dll
O15 - Trusted Zone: http://www.secuser.com
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://www.trendmicro.com/en_us/forHome/products/housecall.html
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f002.mail.caramail.lycos.fr/app/uploader/FileUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BD126C7-CBBF-4E86-9A99-2B7F79B8C7A5}: NameServer = 212.27.54.252,212.27.53.252
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BD126C7-CBBF-4E86-9A99-2B7F79B8C7A5}: NameServer = 212.27.54.252,212.27.53.252
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Office Source Engine (ose) - Funk Software, Inc. - (no file)

papyber · Answer

ce qui serait bon, c'est que tu postes les rapports des outils que tu as passés afin de vérifier s'il y a ou pas des restes d'infection

lance hijack this pour un scan et coche les lignes suivantes
  O2 - BHO: (no name) - {3E148F86-07D9-479B-9C66-F58C5B770522} - C:\WINDOWS\system32\awtss.dll (file missing)
  O2 - BHO: (no name) - {43408E72-84F2-4489-9717-1F40287F66AA} - C:\WINDOWS\system32\ljhhe.dll (file missing)
  O2 - BHO: (no name) - {AB76A837-492E-4792-8ABD-0EBBEE3775F0} - C:\WINDOWS\system32\urspn.dll (file missing)
  O2 - BHO: (no name) - {DA00CDCA-56BB-4171-8101-B4230DCB73A8} - C:\WINDOWS\system32\xxwvu.dll (file missing)
  O2 - BHO: (no name) - {E60729E8-D1B8-4F6D-AF3A-BFEDFA60D5C5} - C:\WINDOWS\system32\hgday.dll (file missing)
 
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')   NT
  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')    T
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')    
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')   
  O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
  O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
  
ferme toutes tes fenêtres y compris internet et clique sur fix checked

maracana · Answer

J'ai passé VirtumundoBegone.exe, voici le rapport:

[02/13/2008, 20:31:45] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Amaury\Bureau\VirtumundoBeGone.exe" )
[02/13/2008, 20:31:52] - Detected System Information:
[02/13/2008, 20:31:52] -  Windows Version: 5.1.2600, Service Pack 2
[02/13/2008, 20:31:52] -  Current Username: Amaury (Admin)
[02/13/2008, 20:31:52] -  Windows is in NORMAL mode.
[02/13/2008, 20:31:52] - Searching for Browser Helper Objects:
[02/13/2008, 20:31:52] -  BHO 1: {0498FB38-C644-46D9-A891-2001C28F866C} ()
[02/13/2008, 20:31:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:52] -  Checking for HKLM\...\Winlogon\Notify\ursqq
[02/13/2008, 20:31:52] -  Key not found: HKLM\...\Winlogon\Notify\ursqq, continuing.
[02/13/2008, 20:31:52] -  BHO 2: {3E148F86-07D9-479B-9C66-F58C5B770522} ()
[02/13/2008, 20:31:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:52] -  Checking for HKLM\...\Winlogon\Notify\awtss
[02/13/2008, 20:31:52] -  Key not found: HKLM\...\Winlogon\Notify\awtss, continuing.
[02/13/2008, 20:31:52] -  BHO 3: {43408E72-84F2-4489-9717-1F40287F66AA} ()
[02/13/2008, 20:31:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:52] -  Checking for HKLM\...\Winlogon\Notify\ljhhe
[02/13/2008, 20:31:52] -  Key not found: HKLM\...\Winlogon\Notify\ljhhe, continuing.
[02/13/2008, 20:31:52] -  BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)

J'ai passé SDfix dont voici le scan:


SDFix: Version 1.142

Run by Amaury on 13/02/2008 at 18:27

Microsoft Windows XP [version 5.1.2600]

Running From: C:\DOCUME~1\Amaury\Bureau\f-vmonde\SDFix

Safe Mode:
Checking Services: 


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files: 

No Trojan Files Found




Folder C:\Program Files\Insider - Removed


Removing Temp Files...

ADS Check:
 


                                 Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 18:42:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,4a,1e,32,1e,dd,ec,57,8d,2e,72,7e,3e,8c,7b,6b,8a,42,..
"hj34z0"=hex:30,1e,ba,03,91,2e,68,4a,81,27,7c,fe,d6,84,fc,0b,06,0f,a8,2b,50,..

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 391


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Amaury\Application Data\SopCast\adv\SopAdver.exe"="C:\Documents and Settings\Amaury\Application Data\SopCast\adv\SopAdver.exe:*:Enabled:SopAdver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast"
"C:\Program Files\HomePlayer1.5.0.2\HomePlayer.exe"="C:\Program Files\HomePlayer1.5.0.2\HomePlayer.exe:*:Enabled:HomePlayer"
"C:\Program Files\PpStream Fr\PPStream.exe"="C:\Program Files\PpStream Fr\PPStream.exe:*:Enabled:PPStream.exe"
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"="C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Assistance … distance - Windows Messenger et voix"
"C:\WINDOWS\system32\java.exe"="C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\TFPTools3_0\VLC\vlc.exe"="C:\TFPTools3_0\VLC\vlc.exe:*:Enabled:VLC media player"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Disabled:SopCast Adver"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\TFPTools3_0\TFPTools.exe"="C:\TFPTools3_0\TFPTools.exe:*:Enabled:TFPTools"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\TVAnts\Tvants.exe"="C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts"
"C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe"="C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:*:Disabled:Football Manager 2008"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files:
---------------


Files with Hidden Attributes:

Wed 13 Oct 2004     1,694,208 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Thu  5 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008     1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008     5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008     2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed  2 Mar 2005         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 16 Nov 2006             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu  7 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a2180e39176e52eb6ee31f3dab112b6e\BIT1.tmp"
Tue  6 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ad213d081e2675ef87a62c73b8abf209\BIT1.tmp"
Tue  6 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cfbcb3a3d65e5711f4e0a6b970ad92ef\BIT2.tmp"

Finished!


J'ai passé combofix dont voici le rapport:

2004-08-05 13:00      132096    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir
2004-10-28 02:23      728576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\_000009_.tmp.dll.vir
2008-02-08 21:18      405125    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sstwa.ini.vir
2008-02-08 21:19      405185    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sstwa.ini2.vir
2008-02-09 13:17      406824    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uvwxx.ini2.vir
2008-02-09 13:17      407470    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uvwxx.ini.vir
2008-02-09 16:05      398602    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32
psru.ini2.vir
2008-02-09 16:07      398602    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32
psru.ini.vir
2008-02-11 22:21      419471    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ehhjl.ini2.vir
2008-02-11 22:23      419566    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ehhjl.ini.vir
2008-02-13 04:54      312438    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\yadgh.ini2.vir
2008-02-13 04:57      312438    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\yadgh.ini.vir
2008-02-13 05:04      334336    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ursqq.dll.vir
2008-02-13 21:04      316254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\qqsru.ini2.vir
2008-02-13 21:05      316254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\qqsru.ini.vir
2008-02-13 21:06      152    --a------    C:\Qoobox\Quarantine\catchme.log
2008-02-13 21:06      295177    --a------    C:\Qoobox\Quarantine\catchme2008-02-13_210939.98.zip


et j'ai passé msn fix mais je retrouve plus le rapport.

Je peux voir avec les rapports que j'étais beaucoup infecté. Mais pas assez expert.
[02/13/2008, 20:31:52] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/13/2008, 20:31:52] -  BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[02/13/2008, 20:31:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:52] -  No filename found. Continuing.
[02/13/2008, 20:31:52] -  BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Programme d'aide de l'Assistant de connexion Windows Live)
[02/13/2008, 20:31:52] -  BHO 8: {AB76A837-492E-4792-8ABD-0EBBEE3775F0} ()
[02/13/2008, 20:31:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:52] -  Checking for HKLM\...\Winlogon\Notify\urspn
[02/13/2008, 20:31:52] -  Key not found: HKLM\...\Winlogon\Notify\urspn, continuing.
[02/13/2008, 20:31:52] -  BHO 9: {DA00CDCA-56BB-4171-8101-B4230DCB73A8} ()
[02/13/2008, 20:31:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:52] -  Checking for HKLM\...\Winlogon\Notify\xxwvu
[02/13/2008, 20:31:52] -  Key not found: HKLM\...\Winlogon\Notify\xxwvu, continuing.
[02/13/2008, 20:31:52] -  BHO 10: {E0EA1F31-B58F-47E8-A185-20C52DF9F168} ()
[02/13/2008, 20:31:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:52] -  Checking for HKLM\...\Winlogon\Notify\efcddaw
[02/13/2008, 20:31:52] -  Found: HKLM\...\Winlogon\Notify\efcddaw - This is probably Virtumundo.
[02/13/2008, 20:31:52] -  Assigning {E0EA1F31-B58F-47E8-A185-20C52DF9F168} MSEvents Object
[02/13/2008, 20:31:52] - BHO list has been changed! Starting over...
[02/13/2008, 20:31:52] -  BHO 1: {0498FB38-C644-46D9-A891-2001C28F866C} ()
[02/13/2008, 20:31:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:52] -  Checking for HKLM\...\Winlogon\Notify\ursqq
[02/13/2008, 20:31:53] -  Key not found: HKLM\...\Winlogon\Notify\ursqq, continuing.
[02/13/2008, 20:31:53] -  BHO 2: {3E148F86-07D9-479B-9C66-F58C5B770522} ()
[02/13/2008, 20:31:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:53] -  Checking for HKLM\...\Winlogon\Notify\awtss
[02/13/2008, 20:31:53] -  Key not found: HKLM\...\Winlogon\Notify\awtss, continuing.
[02/13/2008, 20:31:53] -  BHO 3: {43408E72-84F2-4489-9717-1F40287F66AA} ()
[02/13/2008, 20:31:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:53] -  Checking for HKLM\...\Winlogon\Notify\ljhhe
[02/13/2008, 20:31:53] -  Key not found: HKLM\...\Winlogon\Notify\ljhhe, continuing.
[02/13/2008, 20:31:53] -  BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/13/2008, 20:31:53] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/13/2008, 20:31:53] -  BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[02/13/2008, 20:31:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:53] -  No filename found. Continuing.
[02/13/2008, 20:31:53] -  BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Programme d'aide de l'Assistant de connexion Windows Live)
[02/13/2008, 20:31:53] -  BHO 8: {AB76A837-492E-4792-8ABD-0EBBEE3775F0} ()
[02/13/2008, 20:31:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:53] -  Checking for HKLM\...\Winlogon\Notify\urspn
[02/13/2008, 20:31:53] -  Key not found: HKLM\...\Winlogon\Notify\urspn, continuing.
[02/13/2008, 20:31:53] -  BHO 9: {DA00CDCA-56BB-4171-8101-B4230DCB73A8} ()
[02/13/2008, 20:31:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:53] -  Checking for HKLM\...\Winlogon\Notify\xxwvu
[02/13/2008, 20:31:53] -  Key not found: HKLM\...\Winlogon\Notify\xxwvu, continuing.
[02/13/2008, 20:31:54] -  BHO 10: {E0EA1F31-B58F-47E8-A185-20C52DF9F168} (MSEvents Object)
[02/13/2008, 20:31:54] - ALERT: Found MSEvents Object!
[02/13/2008, 20:31:54] -  BHO 11: {E60729E8-D1B8-4F6D-AF3A-BFEDFA60D5C5} ()
[02/13/2008, 20:31:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:54] -  Checking for HKLM\...\Winlogon\Notify\hgday
[02/13/2008, 20:31:54] -  Key not found: HKLM\...\Winlogon\Notify\hgday, continuing.
[02/13/2008, 20:31:54] - Finished Searching Browser Helper Objects
[02/13/2008, 20:31:54] - *** Detected MSEvents Object
[02/13/2008, 20:31:54] - Trying to remove MSEvents Object...
[02/13/2008, 20:31:55] -    Terminating Process: IEXPLORE.EXE
[02/13/2008, 20:31:55] -    Terminating Process: RUNDLL32.EXE
[02/13/2008, 20:31:55] -    Disabling Automatic Shell Restart
[02/13/2008, 20:31:55] -    Terminating Process: EXPLORER.EXE
[02/13/2008, 20:31:56] -    Suspending the NT Session Manager System Service
[02/13/2008, 20:31:56] -    Terminating Windows NT Logon/Logoff Manager
[02/13/2008, 20:31:56] -    Re-enabling Automatic Shell Restart
[02/13/2008, 20:31:56] -   File to disable: C:\WINDOWS\system32\efcddaw.dll
[02/13/2008, 20:31:56] -  Renaming C:\WINDOWS\system32\efcddaw.dll -> C:\WINDOWS\system32\efcddaw.dll.vir
[02/13/2008, 20:31:57] -  File successfully renamed!
[02/13/2008, 20:31:57] -   Removing HKLM\...\Browser Helper Objects\{E0EA1F31-B58F-47E8-A185-20C52DF9F168}
[02/13/2008, 20:31:58] -   Removing HKCR\CLSID\{E0EA1F31-B58F-47E8-A185-20C52DF9F168}
[02/13/2008, 20:31:58] -   Adding Kill Bit for ActiveX for GUID: {E0EA1F31-B58F-47E8-A185-20C52DF9F168}
[02/13/2008, 20:31:58] -   Deleting ATLEvents/MSEvents Registry entries
[02/13/2008, 20:31:58] -   Removing HKLM\...\Winlogon\Notify\efcddaw
[02/13/2008, 20:31:58] - Searching for Browser Helper Objects:
[02/13/2008, 20:31:58] -  BHO 1: {0498FB38-C644-46D9-A891-2001C28F866C} ()
[02/13/2008, 20:31:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:58] -  Checking for HKLM\...\Winlogon\Notify\ursqq
[02/13/2008, 20:31:58] -  Key not found: HKLM\...\Winlogon\Notify\ursqq, continuing.
[02/13/2008, 20:31:58] -  BHO 2: {3E148F86-07D9-479B-9C66-F58C5B770522} ()
[02/13/2008, 20:31:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:58] -  Checking for HKLM\...\Winlogon\Notify\awtss
[02/13/2008, 20:31:58] -  Key not found: HKLM\...\Winlogon\Notify\awtss, continuing.
[02/13/2008, 20:31:58] -  BHO 3: {43408E72-84F2-4489-9717-1F40287F66AA} ()
[02/13/2008, 20:31:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:59] -  Checking for HKLM\...\Winlogon\Notify\ljhhe
[02/13/2008, 20:31:59] -  Key not found: HKLM\...\Winlogon\Notify\ljhhe, continuing.
[02/13/2008, 20:31:59] -  BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/13/2008, 20:31:59] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/13/2008, 20:31:59] -  BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[02/13/2008, 20:31:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:59] -  No filename found. Continuing.
[02/13/2008, 20:31:59] -  BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Programme d'aide de l'Assistant de connexion Windows Live)
[02/13/2008, 20:31:59] -  BHO 8: {AB76A837-492E-4792-8ABD-0EBBEE3775F0} ()
[02/13/2008, 20:31:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:59] -  Checking for HKLM\...\Winlogon\Notify\urspn
[02/13/2008, 20:31:59] -  Key not found: HKLM\...\Winlogon\Notify\urspn, continuing.
[02/13/2008, 20:31:59] -  BHO 9: {DA00CDCA-56BB-4171-8101-B4230DCB73A8} ()
[02/13/2008, 20:31:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:59] -  Checking for HKLM\...\Winlogon\Notify\xxwvu
[02/13/2008, 20:31:59] -  Key not found: HKLM\...\Winlogon\Notify\xxwvu, continuing.
[02/13/2008, 20:31:59] -  BHO 10: {E60729E8-D1B8-4F6D-AF3A-BFEDFA60D5C5} ()
[02/13/2008, 20:31:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:31:59] -  Checking for HKLM\...\Winlogon\Notify\hgday
[02/13/2008, 20:31:59] -  Key not found: HKLM\...\Winlogon\Notify\hgday, continuing.
[02/13/2008, 20:31:59] - Finished Searching Browser Helper Objects
[02/13/2008, 20:31:59] - Finishing up...
[02/13/2008, 20:31:59] - A restart is needed.
[02/13/2008, 20:32:02] - Attempting to Restart via STOP error (Blue Screen!)

[02/13/2008, 20:42:36] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Amaury\Bureau\VirtumundoBeGone.exe" )
[02/13/2008, 20:42:47] - Detected System Information:
[02/13/2008, 20:42:47] -  Windows Version: 5.1.2600, Service Pack 2
[02/13/2008, 20:42:47] -  Current Username: Amaury (Admin)
[02/13/2008, 20:42:47] -  Windows is in NORMAL mode.
[02/13/2008, 20:42:47] - Searching for Browser Helper Objects:
[02/13/2008, 20:42:47] -  BHO 1: {3E148F86-07D9-479B-9C66-F58C5B770522} ()
[02/13/2008, 20:42:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:42:48] -  Checking for HKLM\...\Winlogon\Notify\awtss
[02/13/2008, 20:42:48] -  Key not found: HKLM\...\Winlogon\Notify\awtss, continuing.
[02/13/2008, 20:42:48] -  BHO 2: {43408E72-84F2-4489-9717-1F40287F66AA} ()
[02/13/2008, 20:42:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:42:48] -  Checking for HKLM\...\Winlogon\Notify\ljhhe
[02/13/2008, 20:42:48] -  Key not found: HKLM\...\Winlogon\Notify\ljhhe, continuing.
[02/13/2008, 20:42:48] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/13/2008, 20:42:48] -  BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/13/2008, 20:42:48] -  BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[02/13/2008, 20:42:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:42:48] -  No filename found. Continuing.
[02/13/2008, 20:42:48] -  BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Programme d'aide de l'Assistant de connexion Windows Live)
[02/13/2008, 20:42:48] -  BHO 7: {AB76A837-492E-4792-8ABD-0EBBEE3775F0} ()
[02/13/2008, 20:42:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:42:48] -  Checking for HKLM\...\Winlogon\Notify\urspn
[02/13/2008, 20:42:48] -  Key not found: HKLM\...\Winlogon\Notify\urspn, continuing.
[02/13/2008, 20:42:48] -  BHO 8: {C0084558-1EF1-4220-AEF5-6C0DBEA82C6A} ()
[02/13/2008, 20:42:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:42:48] -  Checking for HKLM\...\Winlogon\Notify\ursqq
[02/13/2008, 20:42:48] -  Key not found: HKLM\...\Winlogon\Notify\ursqq, continuing.
[02/13/2008, 20:42:48] -  BHO 9: {DA00CDCA-56BB-4171-8101-B4230DCB73A8} ()
[02/13/2008, 20:42:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:42:48] -  Checking for HKLM\...\Winlogon\Notify\xxwvu
[02/13/2008, 20:42:48] -  Key not found: HKLM\...\Winlogon\Notify\xxwvu, continuing.
[02/13/2008, 20:42:48] -  BHO 10: {E60729E8-D1B8-4F6D-AF3A-BFEDFA60D5C5} ()
[02/13/2008, 20:42:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/13/2008, 20:42:48] -  Checking for HKLM\...\Winlogon\Notify\hgday
[02/13/2008, 20:42:48] -  Key not found: HKLM\...\Winlogon\Notify\hgday, continuing.
[02/13/2008, 20:42:48] - Finished Searching Browser Helper Objects
[02/13/2008, 20:42:48] - Finishing up...
[02/13/2008, 20:42:48] - Nothing found! Exiting...

papyber · Answer

ok
tu vas supprimer ces programmes, tous
ensuite tu télécharges à nouveau Combofix, il faut toujours la toute dernière version, et tu scannes ton PC
Télécharge combofix.exe (par sUBs) sur ton Bureau
  http://download.bleepingcomputer.com/sUBs/ComboFix.exe
désactive ton antivirus, antispyware, et Spybot (résident) durant l'utilisation de ComboFix . Merci. Tu réactives ensuite.
Double clique combofix.exe.
Tape sur la touche Y (Yes) pour démarrer le scan.
Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse
NOTE : Le rapport se trouve également ici : C:\Combofix.txt
c'est ce rapport que je veux, complet, afin de voir s'il reste ou pas quelque chose

maracana · Answer

Bonsoir Papyber,

Voici le rapport:

ComboFix 08-02-16.2 - Amaury 2008-02-16 0:26:08.2 - NTFSx86
Endroit: C:\Documents and Settings\Amaury\Bureau\ComboFix.exe
* Création d'un nouveau point de restauration

[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]
.

((((((((((((((((((((((((((((( Fichiers créés 2008-01-16 to 2008-02-16 ))))))))))))))))))))))))))))))))))))
.

2008-02-14 21:44 . 2008-02-14 21:44 <REP> d-------- C:\Program Files\Avira
2008-02-14 21:44 . 2008-02-14 21:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-13 18:22 . 2008-02-13 18:23 <REP> d-------- C:\WINDOWS\ERUNT
2008-02-12 21:54 . 2008-02-12 21:54 <REP> d-------- C:\Program Files\Trend Micro
2008-02-11 23:07 . 2008-02-12 19:28 <REP> d-------- C:\WINDOWS\BDOSCAN8
2008-02-11 20:28 . 2008-02-11 21:35 <REP> d-------- C:\Program Files\RegCleaner
2008-02-11 19:53 . 2008-02-11 20:11 <REP> d-------- C:\Documents and Settings\Amaury\Application Data\RegClean
2008-02-11 19:52 . 2008-02-11 20:19 <REP> d-------- C:\Program Files\RegClean
2008-02-11 01:25 . 2008-02-11 01:25 <REP> d-------- C:\Program Files\Lavasoft
2008-02-11 01:25 . 2008-02-11 01:28 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-11 01:22 . 2008-02-11 01:22 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-08 21:21 . 2008-02-08 21:21 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-08 20:34 . 2008-02-10 21:23 <REP> d-------- C:\Documents and Settings\Amaury\Application Data\PrevxCSI
2008-02-08 17:13 . 2008-02-08 17:10 36,053,585 --a------ C:\WINDOWS\LPT$VPN.987
2008-02-08 17:10 . 2008-02-08 17:10 36,053,585 --a------ C:\WINDOWS\VPTNFILE.987
2008-02-08 17:09 . 2008-02-08 17:11 <REP> d-------- C:\WINDOWS\AU_Temp
2008-02-07 22:22 . 2008-02-07 22:22 38,400 --a------ C:\WINDOWS\system32\efcddaw.dll.vir
2008-02-05 18:52 . 2008-02-05 18:52 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-02-05 18:45 . 2008-02-05 19:35 <REP> d-------- C:\Documents and Settings\Amaury\Application Data\Sports Interactive
2008-02-05 18:34 . 2008-02-05 18:34 <REP> dr-h----- C:\Documents and Settings\Amaury\Application Data\SecuROM
2008-02-05 18:34 . 2008-02-05 18:34 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-02-04 21:27 . 2008-02-04 21:27 <REP> d-------- C:\Program Files\TurnTool
2008-01-30 20:36 . 2008-01-30 20:36 <REP> d-------- C:\Program Files\TVAnts
2008-01-25 20:41 . 2008-01-25 20:46 <REP> d--hsc--- C:\Program Files\Fichiers communs\WindowsLiveInstaller
2008-01-24 20:13 . 2008-01-24 20:13 <REP> d-------- C:\Documents and Settings\Administrateur\Contacts

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 17:27 --------- d-----w C:\Program Files\HomePlayer1.5.3.1
2008-02-14 20:36 --------- d-----w C:\Documents and Settings\Amaury\Application Data\The Bat!
2008-02-08 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-08 16:11 267,845 ----a-w C:\WINDOWS\tsc.exe
2008-02-08 16:10 86,094 ----a-w C:\WINDOWS\BPMNT.dll
2008-02-08 16:10 71,749 ----a-w C:\WINDOWS\hcextoutput.dll
2008-02-08 16:10 1,163,344 ----a-w C:\WINDOWS\vsapi32.dll
2008-02-08 15:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-06 17:02 --------- d-----w C:\Program Files\LIVEUPDATE
2008-02-05 18:28 --------- d-----w C:\Program Files\eMule
2008-02-03 21:02 --------- d-----w C:\Program Files\PokerStars
2008-01-30 20:53 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-01-30 20:53 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-01-28 18:50 --------- d-----w C:\Program Files\Nikon
2008-01-25 19:41 --------- d-----w C:\Program Files\Windows Live
2008-01-25 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-25 18:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 18:43 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-20 22:12 --------- d-----w C:\Documents and Settings\Amaury\Application Data\Skype
2008-01-14 22:22 --------- d-----w C:\Documents and Settings\Amaury\Application Data\ABBYY
2008-01-14 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\ABBYY
2008-01-09 18:02 --------- d-----w C:\Documents and Settings\Amaury\Application Data\Microgaming
2007-12-28 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-17 18:14 --------- d-----w C:\Program Files\SopCast
2007-12-17 18:13 --------- d-----w C:\Documents and Settings\Amaury\Application Data\SopCast
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:08 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 09:32 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 09:29 77824]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-07-24 04:49 102400]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-07-24 04:49 684032]
"mouseElf"="C:\PROGRA~1\WIRELE~1\GNETMOUS.EXE" [2003-02-12 15:01 176128]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-21 05:00 88363 C:\WINDOWS\AGRSMMSG.exe]
"adiras"="adiras.exe" []
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 09:32 114688]
"Openwares LiveUpdate"="C:\Program Files\LiveUpdate\LiveUpdate.exe" [2003-12-13 18:17 61440]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [2004-07-02 17:45 970810]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 04:42 577536 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-06 12:56 282624]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-14 21:49 249896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 2006-02-25 13:41 106496 C:\WINDOWS\system32\odyEvent.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Adobe Acrobat Speed Launcher.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Adobe Gamma Loader.exe.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^BlueSoleil.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2004-03-21 17:20 186880 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" -lang 1033
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

R2 NwSapAgent;Agent SAP;C:\WINDOWS\system32\svchost.exe [2004-08-05 13:00]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2004-07-02 16:44]
R3 PRISM_A00;PRISM 802.11 Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys [2004-07-20 19:16]
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 15:32]
S3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2003-01-22 17:31]
S3 RDID1027;EDIROL PCR;C:\WINDOWS\system32\Drivers\rdwm1027.sys [2003-04-11 12:40]
S4 Boonty Games;Boonty Games;"C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe" [2005-06-17 19:49]

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-12 02:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean.Amaury)Runs RegClean to optimize your registry.
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 00:32:43
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-02-16 0:34:30
.
2008-02-14 00:58:12 --- E O F ---

Encore Merci!!

papyber · Answer

recherche et supprime
C:\WINDOWS\system32\efcddaw.dll.vir

faire un scan antivirus en ligne avec Internet explorer et accepter l'ActiveX
poster le rapport ici ensuite
https://www.bitdefender.fr/ 

En bas, à gauche de la fenêtre, clique sur BitDefender SCAN ONLINE 
Dans la nouvelle fenêtre, clique sur j’accepte 
La fenêtre change encore, clique sur scanner 
Les signatures se chargent, etc. 

tuto en image
http://pageperso.aol.fr/rginformatique/mapage/defender.htm

maracana · Answer

Bonjour,

Voici le dernier rapport de bitdefender, apparement il reste des trucs sur la base de registre:

BitDefender Online Scanner - Rapport virus en temps réel
  
  
 
Généré à: Sat, Feb 16, 2008 - 12:02:57
 

--------------------------------------------------------------------------------

 
  
  
 
Info d'analyse
  
  
 
Fichiers scannés
 267710
 
Infectés Fichiers
 3
 
  
  
 
 
  
  
 
Virus Détectés
  
  
 
Trojan.Vundo.Gen.2
 3
 
  
  
 
 
  
  
 
 

--------------------------------------------------------------------------------
  
  
 
Ce sommaire du processus d'analyse sera utilisé par les laboratoires Antivirus BitDefender pour créer des statistiques agréguées sur l'activité des virus dans le monde.

papyber · Answer

il me faut le rapport complet...

Cheval de troie

13 réponses

Votre réponse

Discussions similaires

Newsletters